Digital rights management system and method

ABSTRACT

The present invention concerns application of digital rights management to industrial automation devices including programmable logic controllers (PLCs), I/O devices, and communication adapters. Digital rights management involves a set of technologies for controlling and managing access to device objects and/or programs such as ladder logic programs. Access to automation device objects and/or programs can be managed by downloading rules of use that define user privileges with respect to automation devices and utilizing digital certificates, among other things, to verify the identity of a user desiring to interact with device programs, for example. Furthermore, the present invention provides for secure transmission of messages to and amongst automation devices utilizing public key cryptography associated with digital certificates.

TECHNICAL FIELD

The present invention relates generally to industrial control systemsand more particularly towards digital rights management and securecommunication to and amongst industrial automation devices.

BACKGROUND

Industrial controllers are special-purpose computers utilized forcontrolling industrial processes, manufacturing equipment, and otherfactory automation, such as data collection or networked systems. Inaccordance with a control program, the industrial controller, having anassociated processor (or processors), measures one or more processvariables or inputs reflecting the status of a controlled system, andchanges outputs effecting control of such system. The inputs and outputsmay be binary, (e.g., on or off), as well as analog inputs and outputsassuming a continuous range of values.

Measured inputs received from such systems and the outputs transmittedby the systems generally pass through one or more input/output (I/O)modules. These I/O modules serve as an electrical interface to thecontroller and may be located proximate to or remote from the controllerincluding remote network interfaces to associated systems. Inputs andoutputs may be recorded in an I/O table in processor memory, whereininput values may be asynchronously read from one or more input modulesand output values written to the I/O table for subsequent communicationto the control system by specialized communications circuitry (e.g.,back plane interface, communications module). Output modules mayinterface directly with one or more control elements, by receiving anoutput from the I/O table to control a device such as a motor, valve,solenoid, amplifier, and the like.

At the core of the industrial control system, is a logic processor suchas a Programmable Logic Controller (PLC) or PC-based controller.Programmable Logic Controllers for instance, are programmed by systemsdesigners to operate manufacturing processes via user-designed logicprograms or user programs. The user programs are stored in memory andgenerally executed by the PLC in a sequential manner althoughinstruction jumping, looping and interrupt routines, for example, arealso common. Associated with the user program are a plurality of memoryelements or variables that provide dynamics to PLC operations andprograms. These variables can be user-defined and can be defined asbits, bytes, words, integers, floating point numbers, timers, countersand/or other data types to name but a few examples.

Presently, industrial control systems have no viable means ofcontrolling and managing access to industrial control programs anddocuments. Furthermore, there is little or no mechanism to securecommunications to and amongst industrial control devices. In fact, onecould purchase automation device control software load it on a computerand if they gain access to a local industrial system network couldupload, download, and otherwise manipulate the operations ofsubstantially all automation devices therein. Failure to providereliable and secure communication devices such as controllers and I/Odevices can at the very least be fiscally detrimental to a companyemploying such systems as some company employees could inadvertently orintentionally make changes to systems that cause a plant to shut down ofoperate inefficiently. Moreover, in today's world of corporate espionageand terrorism, vulnerable factory systems make for tempting targets. Inextreme cases, vulnerable manufacturing systems can expose secureinformation such as trade secret processes. Moreover, the infiltrationof malicious programs can result in catastrophic property damage andpossibly loss of human life. Accordingly, there is a need in the art fora system and method of secure device communications and digital rightsmanagement in industrial control systems.

SUMMARY OF THE INVENTION

The following presents a simplified summary of the invention in order toprovide a basic understanding of some aspects of the invention. Thissummary is not an extensive overview of the invention. It is notintended to identify key/critical elements of the invention or todelineate the scope of the invention. Its sole purpose is to presentsome concepts of the invention in a simplified form as a prelude to themore detailed description that is presented later.

One aspect of the present invention relates to a system and method ofdigital rights management for automation devices. An access componentcan be employed by select individuals or entities to define accessrules. Access rules define the rights and privileges of individual usersor entities with respect to automation devices programs, processes andother documents. For example, user A could be allowed to modify aladder-logic program, while user B could only be allowed to viewportions thereof. In addition, it should be appreciated that one or moreindividuals or entities can be identified by their role or positionwithin an automation system. Hence, access rules can be defined based onroles. For example, only administrators are allowed to modify a program.Furthermore, digital certificates can be employed to facilitateidentification of individuals and/or entities desirous of accessing ormanipulating automation device programs, for instance. Additionally,other identification mechanisms can be employed separately or incombination with certificates to aid in identifying particular usersincluding but not limited to subscriber identification module cards (SIMcards) and biometrics.

Another aspect of the invention provides for secure communication to andamongst industrial automation devices including controllers and I/Odevices or modules. According to one aspect of the present invention,messages such as commands, programs, and data transfer are securelycommunicated employing public-key cryptography. In accordance therewith,automation devices can encrypt messages with a private key associatedwith and held in confidence by a particular device. Such a key can bebuilt into an automation device (as well as other information andcomponents such as the corresponding public key) according to aparticular aspect of the invention. Alternatively, the key can beretrieved from a certification component, as described below. A messagereceiving automation device can then utilize a public key related to aparticular private key to decrypt and subsequently read and/or processthe sent message.

According to another aspect of the subject invention, a certificationcomponent can be employed locally within an industrial automationsystem. The certification component provides a local trusted authorityto verify the identity of devices. In other words, I/O devices canidentify themselves to controllers as real with a degree of certaintyprovided by the trusted certification component and controllers canidentify themselves as real and deserving of trust to I/O devices. Thecertification component, therefore, provides a local mechanism toprevent spoofing or impersonation by malevolent persons or entitieswithin a public key infrastructure.

According to another aspect, the subject invention can employ digitalsignatures to authenticate transmitted messages. In particular, hashfunctions or algorithms can be applied to a message to produce a messagedigest, which can be transmitted with the message and informationregarding the hash function utilized to generate the message digest.Upon receipt of the digitally signed message component, the receivingautomation device can employ provided hash information to generate amessage digest utilizing the received message. If the message digestdoes not match the message digest provided with the sent message then auser or entity should be notified that the data has been corruptedduring transmission.

According to still another aspect of the present invention, certificatescan be utilized in conjunction with digital signatures to provideoptimal security for communications between and amongst industrialautomation devices.

The present invention is advantageous in that it provides a mechanismfor secure communications amongst automaton devices, does not requireInternet connectivity, or employment and payment of a third partyprovider of certificate authority service (e.g., VeriSign™).Furthermore, access to and use of automation devices programs and otherdocuments can be securely managed utilizing certificates as onemechanism for identifying users or entities.

To the accomplishment of the foregoing and related ends, certainillustrative aspects of the invention are described herein in connectionwith the following description and the annexed drawings. These aspectsare indicative of various ways in which the invention may be practiced,all of which are intended to be covered by the present invention. Otheradvantages and novel features of the invention may become apparent fromthe following detailed description of the invention when considered inconjunction with the drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

The foregoing and other aspects of the invention will become apparentfrom the following detailed description and the appended drawingsdescribed in brief hereinafter.

FIG. 1 is a schematic block diagram of digital rights management systemin accordance with an aspect of the subject invention.

FIG. 2 is a schematic block diagram of a secure method of communicationsutilizing a certification component in accordance with an aspect of thepresent invention.

FIG. 3 is a schematic block diagram of an exemplary certificatecomponent in accordance with an aspect of the present invention.

FIG. 4 is a schematic block diagram of a certificate management systemin accordance with an aspect of the subject invention.

FIG. 5 is a schematic block diagram of an automation devicecommunication system in accordance with an aspect of the presentinvention.

FIG. 6 is a schematic block diagram of a digital signature generationsystem in accordance with an aspect of the subject invention.

FIG. 7 is a schematic block diagram of a digital signature messagecomponent in accordance with an aspect of the present invention.

FIG. 8 is a flow chart diagram of an automation device digital rightsmethodology in accordance with an aspect of the subject invention.

FIG. 9 is a flow chart diagram of an automation device communicationmethodology in accordance with an aspect of the subject invention.

FIG. 10 is a flow chart diagram of an automation communicationmethodology in accordance with an aspect of the present invention.

FIG. 11 is a flow chart diagram illustrating an automation communicationmethodology in accordance with an aspect of the present invention.

FIG. 12 is a schematic block diagram illustrating a suitable operatingenvironment in accordance with an aspect of the present invention.

DETAILED DESCRIPTION

The present invention is now described with reference to the annexeddrawings, wherein like numerals refer to like elements throughout. Itshould be understood, however, that the drawings and detaileddescription thereto are not intended to limit the invention to theparticular form disclosed. Rather, the intention is to cover allmodifications, equivalents, and alternatives falling within the spiritand scope of the present invention.

As used in this application, the terms “component” and “system” areintended to refer to a computer-related entity, either hardware, acombination of hardware and software, software, or software inexecution. For example, a component may be, but is not limited to being,a process running on a processor, a processor, an object, an executable,a thread of execution, a program, and/or a computer. By way ofillustration, both an application running on a server and the server canbe a component. One or more components may reside within a processand/or thread of execution and a component may be localized on onecomputer and/or distributed between two or more computers.

Furthermore, the present invention may be implemented as a method,apparatus, or article of manufacture using standard programming and/orengineering techniques to produce software, firmware, hardware, or anycombination thereof. The term “article of manufacture” (oralternatively, “computer program product”) as used herein is intended toencompass a computer program accessible from any computer-readabledevice, carrier, or media. For example, a computer readable media caninclude but is not limited to magnetic storage devices (e.g., hard disk,floppy disk, magnetic strips . . . ), optical disks (e.g., compact disk(CD), digital versatile disk (DVD) . . . ), smart cards, and flashmemory devices (e.g., card, stick). Of course, those skilled in the artwill recognize many modifications may be made to this configurationwithout departing from the scope or spirit of the subject invention.

Turning initially to FIG. 1, a digital rights management system 100 isillustrated in accordance with an aspect of the subject invention.Digital rights management system 100 comprises control component 110,certification component 120, access component 130, industrial automationdevice(s) 140, access credential component 150, virtual key component160, and physical key component 170. Control component 110 can be partof a control program utilized to interact and manage industrialautomation device(s) 140. Industrial automation devices 140 can includebut are not limited to programmable logic controllers, I/O devices, andcommunication adapters (e.g., bridge, gateway . . . ). Furthermore, asused herein automation devices can also refer to one or more computersutilized to program and otherwise transmit information to logiccontrollers with in an industrial automation environment. Controlcomponent 110 comprises a certification component 120. Certificationcomponent 120 can issue and manage digital certificates utilized tocreate digital signatures and public-private key pairs. Certificationcomponent 120 can be utilized in conjunction with a local computer ornetwork device, thereby eliminating the need to connect to a wide areanetwork such as the Internet to utilize a third party certificateauthority such as VeriSign™.

Access component 130 can also be included in control component 110.Access component 130 provides a mechanism for defining rights toautomation device objects and processes. Access component can utilizecertificates as a means of identifying a user or entity and associatingrules of use. For example, a user or entity can be allowed to monitorcontrol logic and not edit or download a new program. Alternatively, auser or entity may only be allowed to view certain portions of a programor create input rungs and not output rungs in a ladder logic program. Inbrief, the subject invention can support any rule of use that can bespecified. Hence, access to industrial control device processes can alsobe specified to be limited based on a further means of identification inaddition to that established by digital certificates, as described inmore detail, infra. Once rules of use are specified they can bedownloaded to an automation device 140. It should be appreciated thataccess to the access component itself needs to be secure. Accordingly,certificates can be utilized to verify and gate access to the accesscomponent 130. However, other systems and methods of permitting onlyauthorized users to log into the access component 130 can also beemployed (e.g., password, cards, biometrics . . . ).

Industrial automation device(s) 140 can comprise, inter alia, an accesscredential component 150. Access credential component 150 can include alist of rules of use associated with particular users or entities asprovided by the access component 130, for example. One important aspectof providing security, involves properly identifying users or entities.According to one aspect of the invention, identification can be based oncertificates provided by a local certification component 120. However,identification can also be based on other means and mechanisms includingbut not limited to subscriber identity module cards (SIM cards) or othersmart cards. For example, SIM cards can be issued to users providing anencrypted personal id (PID) that can be read by an industrial automationdevice 140 (e.g., by inserting the card into a slot on the controller).This can provide an additional or separate layer of security to insurethat the proper rules of use are associated with the proper individual.Furthermore, it should be appreciated that other means of identificationcan be employed herewith such as biometrics (e.g., fingerprint, retinalscan, hand geometry, facial features, voice recognition . . . ).

Certificates can be utilized alone or in conjunction with other means ofidentification. Virtual key component 140 is adapted to retrieveidentification information from certificates. Physical key component 150provides a mechanism for retrieving identification information fromother physical sources such as SIM cards and biometric interfaces.Identifying information provided by either or both of the virtual andphysical key components can be employed to verify identity and permitaccess in accordance with the rules as specified in the accesscredential component 150.

Turning to FIG. 2, a system of secure automation device communication200 is depicted in accordance with an aspect of the subject invention.System 200 comprises a plurality of industrial automation devices 140(automation device₁, automation device₂ through automation device_(N),where N is an integer greater than or equal to one), and a certificationcomponent 120. Industrial automation devices 140 correspond to specialpurpose computers including industrial controllers for controllingindustrial processes, manufacturing equipment, and other factoryautomation as well as input/output (I/O) devices that receive andexecute commands from industrial controllers. The present invention canutilize symmetric key cryptography or asymmetric or public keycryptograph to facilitate secure communication to and amongst industrialautomation devices 140. Symmetric key cryptography utilizes one commonkey known to both a sender and a receiver to encrypt and decryptmessages. Public key cryptography employs two keys: a public key and aprivate key. These keys are algorithms that are mathematically relatedsuch that one key can sign or encrypt a message and the other can verifyor decrypt the message. Either of the two keys in a public keycryptography system can sign or encrypt a message so long as the otherkey provides the opposite functionality, to wit verification ordecryption. In other words, the key pairs are inverse functions of oneanother; data manipulation by one key can be undone by the other andvice-versa. The primary difference between keys is that a private key isheld securely by a device while the public key can be widely distributedor accessible to local networked industrial automation devices 140, forexample. A public key can be widely distributed at least because it iscomputationally infeasible to deduce the private key of a private-publicpair from a single public key. Accordingly, if automation device₁ wishedto send a secure message such as a control command or program toautomation device₂, then device₁ could encrypt the message with itsprivate key and transfer the message to device₂. Subsequently, device₂could retrieve the widely disseminated public key associated with theprivate key to decrypt and thereafter process the received message.However, a problem exists when communicating using public keys which isthat although the message may be securely transferred, there is no wayto know with any degree of certainty that device₁ is actually associatedwith the retrieved public key. A malicious individual or entity couldsend a message to device₂ claiming to be device₁. More specifically,deceptive spoofing or impersonation could occur if a message wasencrypted with a private key of some computer related entity and thecorresponding public key indicates that it belongs to device₁, forexample. Hence, there needs to be a way to verify that the widelydistributed or accessible key is actually associated with the particulardevice with which it claims to be associated. Otherwise, securitybreaches can occur within an industrial system that can at the veryleast be fiscally detrimental to a company employing an industrialsystem. More importantly, security breaches could result in catastrophicdamage to automation devices 140 and physical property as well as thepossible loss of human life. Accordingly, there needs to be a way toverify that a controller issuing commands to an I/O device is thecontroller it appears to be and that the I/O device is the proper devicesought to be controlled. Utilizing digital certificates is one way toaddress this problem.

Certification component 120 issues and manages certificates utilized tocreate digital signatures and public-private key pairs. Certificationcomponent 120 can be utilized in conjunction with a local computer ornetwork device, thereby eliminating the need to connect to a wide areanetwork such as the Internet to utilize a third party certificateauthority such as VeriSign™. Turning briefly to FIG. 3, an exemplarycertificate component 300 is depicted in accordance with an aspect ofthe subject invention. A certificate component 300 (or simply acertificate) can comprise a public key 310, automation device or username or ID 320, a validity period 330, and a certification authoritysignature 340, among other things. The public key 310 is utilized todecrypt or alternatively encrypt a message in accordance with a publickey cryptographic system. The automation device or user name or ID 320identifies the automation device or user that is associated with thepublic key 210. Furthermore, according to an aspect of the presentinvention the ID 320 can also identify a user role or position (e.g.,administrator). Validity period 330 specifies a period of time in whichthe certificate 300 is valid. After expiration of the validity periodthe certificate may be unavailable for use or may be available butunable to guarantee trustworthiness. The validity period 330 is inessence an extra security precaution to ensure data reliability.Certificate authority signature 340 can also be included in thecertificate component 300. Certificate authority signature 340 isavailable to facilitate verification of the authenticity and integrityof the certificate component 300 data. The signature can be verifiedutilizing a series of steps and components as described in detail inlater sections. Certificate signature 340 is often useful during set-upwhen an automation device does not initially recognize thetrustworthiness of the certificate. Once initially validated thecertificate signature can be assumed to be reliable unless some otherincident occurs to challenge that assumption such as expiration of thevalidity period or revocation of the certificate by the certificationcomponent 120 (FIG. 2). It should be appreciated that the certificatecomponent 300 can be a X.509 digital certificate which is a conventionaland widely used standard for digital certificates that has beenrecommended by the International Telecommunications Union (ITU).

Returning briefly to FIG. 2, once industrial automation devices 140 areinstalled, for example in a factory, they can request or be programmedto receive certificates from certification component 120. Certificationcomponent 120 can then generate a private public key pair and provide adevice 140 with a unique private key. In addition, the certificatecomponent can generate a particular certificate that identifies a deviceand contains the public key that corresponds to the private key issuedto the device. Alternatively and in accordance with an aspect of thepresent invention, each automation device 140 can be designed to includea private key and a built-in certificate providing, inter alia, thecorresponding public key of the public-private key pair. Uponinstallation into an industrial automation system, the automation device140 can simply provide certification component 120 with a certificatecomponent 300 to facilitate wide spread access and/or distributionthereof.

Turning to FIG. 4, a certificate management system 400 is illustrated inaccordance with an aspect of the present invention. Certificatemanagement system comprises a certification component 120 and acertificate store 410. Upon generation of a certificate component 300(FIG. 3), the component can be stored in a certificate store 410. Thecertificate store acts as an organized repository for certificatecomponents. For example, certificate store 410 can store certificates asrecords 420 in a table of records 430. Accordingly, each record cancontain field corresponding to the parts of a certificate includingdevice ID 440 and public key 450. Once and industrial system is properlyset up in accordance with an aspect of the invention, each automationdevice can have a certificate stored in the certificate store whichsupplies, inter alia, an automation device name or ID and its associatedpublic key. Thereafter, automation devices can communicate between andamongst themselves securely employing certificates, thereby allowing theidentity of each device sending a message being known with a much higherdegree of certainty would otherwise be known without certificates.

FIG. 5 depicts a system 500 of secure automation device communication inaccordance with an aspect of the subject invention. Communication system500 includes a certification component 120, automation devices 140(i.e., automation device₁ and automation device₂), certificatecomponent(s) 300, private keys 510, and secure message component 520.Automation devices 140 can communicate securely via wire or wirelesslyutilizing certificate components 300 and private keys 510. For example,if device₁ wished to communicate a message such as a program (e.g.,programmable logic controller (PLC) program) to device₂, then device₁can utilize its private key 510 to encrypt the message and therebycreating a secure message component 520 which can be transmitted todevice₂. Upon receipt of the secure message component 520, device₂ cansearch locally to determine weather or not it has the public key and thecertificate stored associated with the encrypted message. If it does nothave the certificate and key, then device₂ can request and receive theappropriate certificate from the certification component 120.Alternatively, device₂ could retrieve the certificate from a certificatedatabase or store (not shown). However, it should be appreciated thatallowing direct access to certificates is not as secure as going thoughan intermediary such as certification component 120, at least becausecertificates could be tampered with and corrupted. Once device₂ locatesthe appropriate certificate it can utilize the public key to decrypt thekey, verify its digital signature (described in the next section), andread or process the message. It should also be appreciated and notedthat the nature of public-private key pairs enables communication to becommunicated in an inverted manner. For example, assuming again thatdevice₁ desires to communicate a message or program to device₂, thendevice₁ could first try and locate the certificate associated withdevice₂ with which it would like to communicate. First device₁ couldsearch locally to determine whether it had previously loaded thecertificate for device₂. If the certificate was not previously loaded,device₁ can request and download the certificate from the certificationcomponent 120 or alternatively from a certificate data store, asdiscussed supra. Once in possession of the certificate, device₁ canutilize the particular public key associated with the certificate toencrypt a message or program thereby creating a secure message component520 that can subsequently be transmitted to device₂. Device₂ can thenreceive the message component, decrypt it utilizing its private key 510,and then validate or authenticate the message utilizing a digitalsignature, as discussed hereinafter.

FIG. 6 illustrates a digital signature system 600 in accordance with anaspect of the subject invention. Digital signatures can be utilized toverify the integrity of transmitted data. In particular, digitalsignatures can ensure that a message receiver can confirm that themessage has not been altered during transmission. Accordingly, anindustrial automation device could verify that a program transferredfrom a controller, for example, has not been corrupted. Digitalsignature system 600 comprises a hash component 610, a digitally signedmessage component 620, an encryption component 630, an encrypted messagecomponent 640, a decryption component 650, and an authenticationcomponent 660. Hash component 610 is adapted to receive a message suchas a PLC program from an automation device. The hash component 610 canthen apply a hash function to the message. A hash function transforms avariable size input message into fixed size output string. This outputor message digest is typically much smaller than the variable sizeinput. Furthermore, the hash function is “one way”, meaning that it iseasy to convert a message to a message digest, but computationallyinfeasible to determine the input message given the message digest andthe hash function. Additionally, the hash function can be collision freeor a degree thereof. Hash functions map variable length message to fixedsize output hashed, consequently there is some potential for some inputsto map to the same output hash. However, this problem can be averted formost purposes by selecting particular types of hash functions. Forexample, a hash function is weakly collision free if given an input X itis computationally infeasible to locate another input Y that maps to thesame output (H(X)=H(Y)). A strongly collision free hash function is onein which it is computationally infeasible to find two inputs that map tothe same output. Conventionally well known hash functions that can beemployed in accordance with the subject invention including but notlimited to MD5 (Message Digest 5 developed by Rivest) and SHA (SecureHash Algorithm developed by the National Institute of Standards andTechnology). Subsequently the hash component can construct a digitallysigned message component 620.

Turning briefly, to FIG. 7, a digital signature message component 620 isillustrated in accordance with an aspect of the present invention.Digital signature message component 620 comprises a message 710. Themessage can be any information that an automation device would like tocommunicate to another automation device such as commands or a PLCprogram, for example. Message component also has a digital signaturecomponent 720 associated, linked, or embedded therewith. Digitalsignature component 720 includes message digest 722 and hash information724. Message digest 722 contains the output value of a hash functionapplied to the original message 710. As discussed supra, the messagedigest is a short and fixed length representation of a longer variablelength message. The message digest facilitates detection of alterationof a message in transit by comparing the provided message digest 722with a second digest generated on the received message by the receivingentity. Hash information 724 provides data concerning the actual hashfunction utilized to generate the message digest (e.g., MD5, SHA . . .). This information can then be utilized by the device receiving thedigital signature message component 620 to verify that the message sentis the same message received, by generating a second message digestutilizing hash information 722 and the received message and subsequentlycomparing the generated digest to the provided message digest 722. Ifthe two digests are not the same, then the receiving entity will knowthat the message as been altered.

Returning to FIG. 6, once the digital signature message component hasbeen generated it can be transmitted to and received by encryptioncomponent 630. The encryption component 630 can then utilize a sendingdevice's private key or the receiving device's public key to encrypt thedigital signature component 720 (FIG. 7) and/or the message component710 (FIG. 7) of the digital signature message component. Subsequently,an encrypted message component 640 can be created containing the messageand the digital signature component to be transmitted to another device.Such transmission can be via wire or wirelessly over a local areanetwork, for example. Decryption component 650 is adapted to receiveencrypted message components 640. Upon receipt, decryption component 650decrypts encrypted portions of a message component 640 by employingeither a public or private key associated with the corresponding key ofthe public-private key pair used to encrypt the message. For example, ifmessage portions were encrypted utilizing the public key of thereceiving device, then the receiving device can utilize its private keyfor decryption. Furthermore, it is to be appreciated that the decryptionprocess can utilize the aforementioned system for employing certificatesto verify that the message component is from the device it is supposedto be from. After an encrypted message component 640 is decrypted it ispassed to the authentication component 660. Authentication component660, reads the hash information contained in the digital signaturecomponent, retrieves the identified hash function, and applies it to thesent message to generate a message digest. The authentication component660 then compares the generated message digest with the message digesttransmitted with the digital signature message component 620. If theyare the same then the message has not been altered. If the digests aredifferent then the message has be tampered with or otherwise corrupted.The authentication component 660 can subsequently notify the receivingdevice if the message is corrupt. Furthermore, it should be noted andappreciated that the digital signature message component can betransmitted directly to the authentication component 660 bypassing theencryption and decryption components 630 and 650, if so desired.Encryption simply provides an additional level of security.

In view of the exemplary systems described supra, a methodology that maybe implemented in accordance with the present invention will be betterappreciated with reference to the flow charts of FIGS. 8-10. While forpurposes of simplicity of explanation, the methodology is shown anddescribed as a series of blocks, it is to be understood and appreciatedthat the present invention is not limited by the order of the blocks, assome blocks may, in accordance with the present invention, occur indifferent orders and/or concurrently with other blocks from what isdepicted and described herein.

Moreover, not all illustrated blocks may be required to implement themethodology in accordance with the present invention.

Additionally, it should be further appreciated that the methodologiesdisclosed hereinafter and throughout this specification are capable ofbeing stored on an article of manufacture to facilitate transporting andtransferring such methodologies to computers. The term article ofmanufacture, as used, is intended to encompass a computer programaccessible from any computer-readable device, carrier, or media.

FIG. 8 is a flow chart diagram illustrating a digital rights methodologyin accordance with an aspect of the subject invention. At 810, rules ofuse are defined. Rules of use can correspond to automation deviceprogram or process privileges. Such privileges can be defined forindividual users or their roles (e.g., administrator) or other entitiessuch as other automation devices. Rules can include rights to view,modify, download, and upload all or portions of an automation deviceprogram, inter alia. According, to one aspect of the subject inventionan automation device program can be a programmable logic controller(PLC) ladder logic program. At 820, the rules can be downloaded anautomation device such as a programmable logic controller (PLC) or I/Odevice. Next, at 830, interaction with the automation device is limitedbased on the rules and a user identity. User identity can be establishedutilizing digital certificates according to one aspect of the invention.For example, if a user wishes to download a program to a controller, thecontroller will first receive a certificate associated with the user andcompare it with its rules of use to determine if such user hasprivileges to download programs to the controller. Furthermore, itshould be appreciated that other methods and mechanisms can be employedalone or in combination with digital certificates to verify useridentity including but not limited to SIM or smart cards and biometricrecognition systems (e.g., fingerprint, retinal scan, hand geometry,facial features, voice recognition . . . ).

According to particular aspect of the invention, the methodology 800 canbe utilized to protect PLC logic programs. Hence, particular users maybe able to view and modify program rungs while others may only be ableto view portions of the program. This can be particularly advantageousin industries where control processes are held as trade secrets (e.g.,soft drinks, cleaning solutions . . . ). In such a scenario, the presentmethodology can be employed to limit access to the process to only a fewhigh level people, for example, to preserve secrecy.

In FIG. 9, an automation device communication methodology 900 isdepicted in accordance with an aspect of the present invention. At 910,a message is encrypted utilizing a key. The message can be commands orinstructions for example in an industrial automation device program(e.g. PLC program). The key is one of a public-private key pair as usedin public key cryptography. For example, the key can be a private keyassociated with the particular device sending the message. After themessage is encrypted, it can be transmitted to an automation device at920. Transmission can be via wire (e.g., Ethernet, power line, backplane. . . ) or wirelessly. Subsequently, another automation device canreceive the transmitted message at 930. At 940, the receiving automationdevice locates a certificate associated with the sending device. Forinstance, the device can search its local data store for thecertificate. Alternatively, the device can contact a certificationcomponent and download the certificate therefrom. The certificatecomponent is a trusted component, hence if the certificate states itcorresponds to a device one can assume with a high degree of certaintythat it is actually related to such a device rather than someimpersonating device. A certificate contains, inter alia, a public key.Once the appropriate certificate is located and loaded, the public keyassociated therewith can be employed at 950 to decrypt the sent message.Thereafter, the receiving automation device can process the message(e.g., execute a PLC program).

FIG. 10 depicts another automation device communication methodology 1000in accordance with an aspect of the subject invention. At 1010, adigitally signed message component is generated. The digitally signedmessage includes but is not limited to a message, a message digest andhash information or data. Such a message can be created by applying ahash function or algorithm to the message to be sent to generate amessage digest. As described supra, the message digest is a short fixedlength representation of a typically longer and variable length message.Hash information describes the hash algorithm utilized to generate thedigest (e.g., MD5, SHA . . . ). At 1020, the digitally signed message istransmitted via wire or wirelessly to an automation device. Theautomation device then receives the message at 1030. Subsequently, themessage is authenticated at 1040. Authentication comprises generating asecond message digest using the hash identified by the hash informationand the received message. The message digests are then compared. If thedigests are the same the message has been transmitted successfully.Alternatively, if the digests are not the same then the message has beentampered with or otherwise corrupted during the transmission to thedevice.

FIG. 11 depicts yet another automation device communication methodology1100 in accordance with an aspect of the subject invention. At 1110, adigitally signed message component is generated. Such a message can begenerated by applying a hash function or algorithm to a message toproduce a message digest. The message digest is a short fixed lengthrepresentation of a typically longer and variable length message.Subsequently, the message digest, information regarding the hashfunction utilized to produce the digest, and the original message arecombined into a single message component. At 1120, the generateddigitally signed message component is encrypted for example utilizingpublic key cryptograph. In accordance therewith, the first sendingautomation device can use its private key to encrypt the message to besent. Alternatively, the first automation device can employ a secondautomation device public key to encrypt the message. At 1130, theencrypted digitally signed message component is transferred to a secondautomation device over a local area network (e.g., via wire orwirelessly). The message is then received by the second automationdevice at 1140. At 1150, the message component is decrypted, for exampleemploying a public key provided by a certificate or a private keyassociated with the receiving device. Thereafter, the decrypted messageis authenticated at 1160. Authentication includes determining the hashalgorithm used to generate the message digest and producing a secondmessage digest on the received message using the same hash algorithm.The original message digest and information concerning the hashalgorithm used to construct the message digest can be transmitted withthe message in a message component. The original message digest and thelater created message digest can be compared to determine theauthenticity of the received message. If the digests are different thenthe receiving device can be notified that the message has beencorrupted. If the digests are the same the message sent can be assumedwith a high degree of certainty to be the same as the message received.

In order to provide a context for the various aspects of the invention,FIG. 12 as well as the following discussion are intended to provide abrief, general description of a suitable computing environment in whichthe various aspects of the present invention may be implemented. Whilethe invention has been described above in the general context ofcomputer-executable instructions of a computer program that runs on acomputer and/or computers, those skilled in the art will recognize thatthe invention also may be implemented in combination with other programmodules. Generally, program modules include routines, programs,components, data structures, etc. that perform particular tasks and/orimplement particular abstract data types. Moreover, those skilled in theart will appreciate that the inventive methods may be practiced withother computer system configurations, including single-processor ormultiprocessor computer systems, mini-computing devices, mainframecomputers, as well as personal computers, hand-held computing devices,microprocessor-based or programmable consumer electronics, and the like.The illustrated aspects of the invention may also be practiced indistributed computing environments where task are performed by remoteprocessing devices that are linked through a communications network.However, some, if not all aspects of the invention can be practiced onstand-alone computers. In a distributed computing environment, programmodules may be located in both local and remote memory storage devices.

With reference to FIG. 12, an exemplary environment 1210 forimplementing various aspects of the invention includes a computer 1212.The computer 1212 includes a processing unit 1214, a system memory 1216,and a system bus 1218. The system bus 1218 couples system componentsincluding, but not limited to, the system memory 1216 to the processingunit 1214. The processing unit 1214 can be any of various availableprocessors. Dual microprocessors and other multiprocessor architecturesalso can be employed as the processing unit 1214.

The system bus 1218 can be any of several types of bus structure(s)including the memory bus or memory controller, a peripheral bus orexternal bus, and/or a local bus using any variety of available busarchitectures including, but not limited to, 11-bit bus, IndustrialStandard Architecture (ISA), Micro-Channel Architecture (MSA), ExtendedISA (EISA), Intelligent Drive Electronics (IDE), VESA Local Bus (VLB),Peripheral Component Interconnect (PCI), Universal Serial Bus (USB),Advanced Graphics Port (AGP), Personal Computer Memory CardInternational Association bus (PCMCIA), and Small Computer SystemsInterface (SCSI).

The system memory 1216 includes volatile memory 1220 and nonvolatilememory 1222. The basic input/output system (BIOS), containing the basicroutines to transfer information between elements within the computer1212, such as during start-up, is stored in nonvolatile memory 1222. Byway of illustration, and not limitation, nonvolatile memory 1222 caninclude read only memory (ROM), programmable ROM (PROM), electricallyprogrammable ROM (EPROM), electrically erasable ROM (EEPROM), or flashmemory. Volatile memory 1220 includes random access memory (RAM), whichacts as external cache memory. By way of illustration and notlimitation, RAM is available in many forms such as synchronous RAM(SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rateSDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), Synchlink DRAM (SLDRAM), anddirect Rambus RAM (DRRAM).

Computer 1212 also includes removable/non-removable,volatile/non-volatile computer storage media. FIG. 12 illustrates, forexample disk storage 1224. Disk storage 4124 includes, but is notlimited to, devices like a magnetic disk drive, floppy disk drive, tapedrive, Jaz drive, Zip drive, LS-100 drive, flash memory card, or memorystick. In addition, disk storage 1224 can include storage mediaseparately or in combination with other storage media including, but notlimited to, an optical disk drive such as a compact disk ROM device(CD-ROM), CD recordable drive (CD-R Drive), CD rewritable drive (CD-RWDrive) or a digital versatile disk ROM drive (DVD-ROM). To facilitateconnection of the disk storage devices 1224 to the system bus 1218, aremovable or non-removable interface is typically used such as interface1226.

It is to be appreciated that FIG. 12 describes software that acts as anintermediary between users and the basic computer resources described insuitable operating environment 1210. Such software includes an operatingsystem 1228. Operating system 1228, which can be stored on disk storage1224, acts to control and allocate resources of the computer system1212. System applications 1230 take advantage of the management ofresources by operating system 1228 through program modules 1232 andprogram data 1234 stored either in system memory 1216 or on disk storage1224. It is to be appreciated that the present invention can beimplemented with various operating systems or combinations of operatingsystems.

A user enters commands or information into the computer 1212 throughinput device(s) 1236. Input devices 1236 include, but are not limitedto, a pointing device such as a mouse, trackball, stylus, touch pad,keyboard, microphone, joystick, game pad, satellite dish, scanner, TVtuner card, digital camera, digital video camera, web camera, and thelike. These and other input devices connect to the processing unit 1214through the system bus 1218 via interface port(s) 1238. Interfaceport(s) 1238 include, for example, a serial port, a parallel port, agame port, and a universal serial bus (USB). Output device(s) 1240 usesome of the same type of ports as input device(s) 1236. Thus, forexample, a USB port may be used to provide input to computer 1212 and tooutput information from computer 1212 to an output device 1240. Outputadapter 1242 is provided to illustrate that there are some outputdevices 1240 like monitors, speakers, and printers, among other outputdevices 1240 that require special adapters. The output adapters 1242include, by way of illustration and not limitation, video and soundcards that provide a means of connection between the output device 1240and the system bus 1218. It should be noted that other devices and/orsystems of devices provide both input and output capabilities such asremote computer(s) 1244.

Computer 1212 can operate in a networked environment using logicalconnections to one or more remote computers, such as remote computer(s)1244. The remote computer(s) 1244 can be a personal computer, a server,a router, a network PC, a workstation, a microprocessor based appliance,a peer device or other common network node and the like, and typicallyincludes many or all of the elements described relative to computer1212. For purposes of brevity, only a memory storage device 1246 isillustrated with remote computer(s) 1244. Remote computer(s) 1244 islogically connected to computer 1212 through a network interface 1248and then physically connected via communication connection 1250. Networkinterface 1248 encompasses communication networks such as local-areanetworks (LAN) and wide-area networks (WAN). LAN technologies includeFiber Distributed Data Interface (FDDI), Copper Distributed DataInterface (CDDI), Ethernet/IEEE 1102.3, Token Ring/IEEE 1102.5 and thelike. WAN technologies include, but are not limited to, point-to-pointlinks, circuit switching networks like Integrated Services DigitalNetworks (ISDN) and variations thereon, packet switching networks, andDigital Subscriber Lines (DSL).

Communication connection(s) 1250 refers to the hardware/softwareemployed to connect the network interface 1248 to the bus 1218. Whilecommunication connection 1250 is shown for illustrative clarity insidecomputer 1212, it can also be external to computer 1212. Thehardware/software necessary for connection to the network interface 1248includes, for exemplary purposes only, internal and externaltechnologies such as, modems including regular telephone grade modems,cable modems and DSL modems, ISDN adapters, and Ethernet cards.

What has been described above includes examples of the presentinvention. It is, of course, not possible to describe every conceivablecombination of components or methodologies for purposes of describingthe present invention, but one of ordinary skill in the art mayrecognize that many further combinations and permutations of the presentinvention are possible. Accordingly, the present invention is intendedto embrace all such alterations, modifications and variations that fallwithin the spirit and scope of the appended claims. Furthermore, to theextent that the term “includes” is used in either the detaileddescription or the claims, such term is intended to be inclusive in amanner similar to the term “comprising” as “comprising” is interpretedwhen employed as a transitional word in a claim.

1. A digital rights management system for use in an industrialenvironment comprising: a certification component that generatescertificates for local domain automation devices; and an accesscomponent that establishes rules of use for automation device servicesbased at least upon the identity of a user or entity as provided by acertificate.
 2. The system of claim 1, wherein the system is executed bya computer remotely located from the automation device.
 3. The system ofclaim 2, wherein communication between the automation device and thecertification and access components is over a local area network.
 4. Thesystem of claim 3, wherein communication is secured via digitalcertificates which bind public keys to specific users and/or entities tofacilitate decryption of a message as well as identification of asender.
 5. The system of claim 4, wherein the message is digitallysigned to enable the message to be authenticated.
 6. The system of claim1, wherein access to the access component is a restricted componentlimited to a particular user or group of users via certificates.
 7. Thesystem of claim 1, wherein the automation device includes an accesscredential component that defines and restricts access to particularobjects and services based on the identity of the user as established bya certificate.
 8. The system of claim 7, wherein the automation deviceincludes a virtual key component adapted to retrieve identifyinginformation from a certificate.
 9. The system of claim 7, wherein theaccess credential component also defines and restricts access based on apersonal id provided by a SIM card.
 10. The system of claim 9, whereinthe automation device includes a physical key component adapted toretrieve identifying information from the SIM card.
 11. The system ofclaim 1, wherein the automation device is one of a programmable logiccontroller, an I/O device, and a communication adaptor.
 12. A secureautomation device communication system comprising: a certificationcomponent; and a plurality of automation devices that interact with thecertification component to generate and receive certificates which bindpublic keys to specific automation devices to facilitate identificationof the devices that generate encrypted messages.
 13. The system of claim12, wherein the automation devices include programmable logiccontrollers, I/O devices, and communication adapters.
 14. The system ofclaim 12, wherein the automation devices communicate messages over alocal area network.
 15. The system of claim 12, wherein certificatescontain an automation device or user name or ID and a public keyassociated therewith.
 16. The system of claim 12, wherein thecertification component stores certificates in a certificate data storeisolated from automation devices.
 17. The system of claim 12, whereinautomation devices contain private keys to facilitate encryption and/ordecryption of messages.
 18. The system of claim 12, wherein a firstautomation device utilizes one key in a public private key pair tocreate a secure message component that is transmitted to a secondautomation device.
 19. The system of claim 18, wherein the secondautomation device receives the secure message component and utilizes theother key in a public private key pair to decrypt the message component.20. The system of claim 12, wherein messages are digitally signed andinclude a message, message digest, and information regarding a hashalgorithm.
 21. The system of claim 20, wherein the hash algorithm isMD5.
 22. A method of managing digital rights comprising: defining rulesof use concerning automation device program privileges; downloading therules to an automation device; limiting interaction with the automationdevice based on the rules and an identity of a user.
 23. The method ofclaim 22, wherein user identity is established via digital certificates.24. The method of claim 23, wherein user digital certificates aregenerated by a local area control component.
 25. The method of claim 23,wherein the user identity is established utilizing a SIM card.
 26. Themethod of claim 23, wherein user identity is established employingbiometrics.
 27. The method of claim 22, wherein user rules prohibitparticular users from viewing portions of an automation device program.28. The method of claim 22, wherein user rules prohibit particular usersfrom modifying a ladder logic program.
 29. A computer readable mediumhaving stored thereon computer executable instructions for carrying outthe method of claim
 22. 30. An industrial automation devicecommunication methodology comprising: encrypting a message to be sent toa automation device utilizing a key; and transmitting the encryptedmessage to the automation device.
 31. The methodology of claim 30further comprising: receiving an encrypted message from an automationdevice or device controller; locating a certificate component associatedwith the automation device sending the message; and decrypting themessage utilizing the public key provided by the certificate component.32. The method of claim 31, wherein the automation device is anindustrial programmable logic controller (PLC).
 33. The method of claim32, wherein the message is a PLC program.
 34. The method of claim 31,wherein locating the certificate component comprises searching localautomation device store.
 35. The method of claim 31, wherein locatingthe certificate comprises downloading the certificate from acertification component.
 36. A computer readable medium having storedthereon computer executable instructions for carrying out the method ofclaim
 31. 37. A method of industrial automation device communicationcomprising: generating a digitally signed message component comprising amessage, a message digest, and hash function data, wherein the messagecomponent is generated by a first industrial automation device; andtransmitting the message component to a second industrial automationdevice.
 38. The method of claim 37, further comprising encrypting themessage component prior to transmission.
 39. The method of claim 38,further comprising receiving and decrypting the message component. 40.The method of claim 37, further comprising authenticating the message byretrieving a hash function in accordance with the hash information,generating a message digest by applying the retrieved hash function tothe received message and comparing the generated message digest with themessage digest retrieved from the message component.
 41. A computerreadable medium having stored thereon computer executable instructionsfor carrying out the method of claim 37.